Abstract
Analysis of network traffic has become increasingly important for Pervasive and Ubiquitous Applications (PUA), and anomaly detection in particular plays a critical role in maintaining a high level of protection of the network against threats. In this paper, we present a network traffic anomaly detection method based on catastrophe theory. To characterize the normal behavior of the network, we construct a profile of normal network traffic using an equilibrium surface of catastrophe theory. When anomalies occur, the state of the network traffic deviates from this normal equilibrium surface. Taking the normal equilibrium surface as a reference, we then monitor the ongoing network traffic and quantify the deviation with a new index, called the catastrophe distance. Following decision theory, network traffic anomalies are identified from the catastrophe distance. We evaluate the performance of our approach using the DARPA intrusion detection data set. Experimental results show that our approach is highly effective for network traffic anomaly detection.
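The abstract describes the method only in outline; the concrete equilibrium surface and the definition of the catastrophe distance are in the full paper, not on this page. The following is an added illustration, not the authors' code, of how a detector with that structure can be built. It assumes the cusp catastrophe in its standard normal form x^3 + a*x + b = 0 with the normalized traffic rate as the state variable, takes the catastrophe distance to be the absolute residual of that equation (an assumption), uses a mean-plus-3σ decision threshold learned on normal data (an assumption), and runs on constructed traffic data rather than the DARPA set.

```python
"""Added illustrative example (not the paper's code): anomaly detection against a
cusp-catastrophe equilibrium surface fitted to normal traffic.

Assumptions (not taken from the abstract): the equilibrium surface is the
standard cusp surface x^3 + a*x + b = 0 with state variable x = normalized
traffic rate; the "catastrophe distance" is the absolute residual of that
equation; the decision rule is a mean + k*std threshold learned on normal data.
"""
import math
from statistics import mean, pstdev


def fit_cusp_equilibrium(xs):
    """Fit the control parameters (a, b) of x^3 + a*x + b = 0 to normal samples.

    Least squares on the linear form x^3 = c1*x + c0 gives a = -c1, b = -c0.
    """
    ys = [x ** 3 for x in xs]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    c1 = sxy / sxx
    c0 = my - c1 * mx
    return -c1, -c0


def catastrophe_distance(x, a, b):
    """Assumed distance: how far the observed state lies from the equilibrium surface."""
    return abs(x ** 3 + a * x + b)


def build_profile(normal_xs, k=3.0):
    """Normal-behaviour profile: surface parameters plus a decision threshold."""
    a, b = fit_cusp_equilibrium(normal_xs)
    dists = [catastrophe_distance(x, a, b) for x in normal_xs]
    return {"a": a, "b": b, "threshold": mean(dists) + k * pstdev(dists)}


def detect(profile, xs):
    """Indices of samples whose catastrophe distance exceeds the profile threshold."""
    a, b, thr = profile["a"], profile["b"], profile["threshold"]
    return [i for i, x in enumerate(xs) if catastrophe_distance(x, a, b) > thr]


def constructed_traffic():
    """Constructed sample data: a diurnal-like normalized packet rate (period 24)
    for training, and a monitoring window with an injected burst and an outage."""
    normal = [1.0 + 0.1 * math.sin(2 * math.pi * i / 24) for i in range(240)]
    monitored = [1.0 + 0.1 * math.sin(2 * math.pi * i / 24) for i in range(96)]
    for i in (40, 41, 42):
        monitored[i] = 3.0   # injected burst (e.g. a flood)
    monitored[70] = 0.3      # injected traffic collapse (e.g. a link outage)
    return normal, monitored


if __name__ == "__main__":
    normal, monitored = constructed_traffic()
    profile = build_profile(normal)
    print("a=%.4f b=%.4f threshold=%.4f"
          % (profile["a"], profile["b"], profile["threshold"]))
    print("anomalous sample indices:", detect(profile, monitored))
```

Because the distance is a residual of a cubic, it grows quickly on both sides of the fitted surface, so the same threshold flags a traffic burst and a traffic collapse; in practice the threshold `k` trades false alarms against missed anomalies and would be tuned on held-out normal traffic.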
Cite this article
Xiong, W., Xiong, N., Yang, L.T. et al. An anomaly-based detection in ubiquitous network using the equilibrium state of the catastrophe theory. J Supercomput 64, 274–294 (2013). https://doi.org/10.1007/s11227-011-0644-y
DOI: https://doi.org/10.1007/s11227-011-0644-y